Tuesday, September 4, 2012

How to Secure SSH with Google Authenticator’s Two-Factor Authentication

Want to secure your SSH server with easy-to-use two-factor
authentication? Google provides the necessary software to integrate
Google Authenticator’s time-based one-time password (TOTP) system with
your SSH server. You’ll have to enter the code from your phone when you
connect.
Google Authenticator doesn’t “phone home” to Google — all the work
happens on your SSH server and your phone. In fact, Google Authenticator
is completely open-source, so you can even examine its source code yourself.

Install Google Authenticator

To implement multifactor authentication with Google Authenticator,
we’ll need the open-source Google Authenticator PAM module. PAM stands
for “pluggable authentication module” – it’s a way to easily plug
different forms of authentication into a Linux system.
Ubuntu’s software repositories contain an easy-to-install package for
the Google Authenticator PAM module. If your Linux distribution doesn’t
contain a package for this, you’ll have to download it from the Google Authenticator downloads page on Google Code and compile it yourself.
To install the package on Ubuntu, run the following command:

sudo apt-get install libpam-google-authenticator

(This will only install the PAM module on our system – we’ll have to activate it for SSH logins manually.)

Create an Authentication Key

Log in as the user you’ll be logging in with remotely and run the google-authenticator command to create a secret key for that user.
Allow the command to update your Google Authenticator file by typing
y. You’ll then be prompted with several questions that will allow you to
restrict uses of the same temporary security token, increase the time
window that tokens can be used for, and limit allowed acces attempts to
hinder brute-force cracking attempts. These choices all trade some
security for some ease-of-use.
Google Authenticator will present you with a secret key and several
“emergency scratch codes.” Write down the emergency scratch codes
somewhere safe – they can only be used one time each, and they’re
intended for use if you lose your phone.
Enter the secret key in the Google Authenticator app on your phone (official apps are available for Android, iOS, and Blackberry).
You can also use the scan barcode feature – go to the URL located near
the top of the command’s output and you can scan a QR code with your
phone’s camera.
You’ll now have a constantly changing verification code on your phone.
If you want to log in remotely as multiple users, run this command
for each user. Each user will have their own secret key and their own
codes.

Activate Google Authenticator

Next you’ll have to require Google Authenticator for SSH logins. To do so, open the /etc/pam.d/sshd file on your system (for example, with the sudo nano /etc/pam.d/sshd command) and add the following line to the file:

auth required pam_google_authenticator.so

Next, open the /etc/ssh/sshd_config file, locate the ChallengeResponseAuthentication line, and change it to read as follows:

ChallengeResponseAuthentication yes

(If the ChallengeResponseAuthentication line doesn’t already exist, add the above line to the file.)
Finally, restart the SSH server so your changes will take effect:

sudo service ssh restart

You’ll be prompted for both your password and Google Authenticator code whenever you attempt to log in via SSH.